API Reference > Endpoints > Payment Method

Payment Method

This endpoint is used to inform Ravelin of payment methods being saved or used by a customer account.

The data that you use to populate the payment method varies between payment service providers (PSP) after tokenization. If your PSP is unable to provide you with a suitable instrument ID you should allow Ravelin to generate instrument IDs on your behalf by submitting either full PANs, or client-side encrypted cards. For more information, please refer to our PCI DSS documentation.

Ravelin does not accept submission of the CVV, PIN or magnetic stripe data to any of our API endpoints.

To request a recommendation at this endpoint use the Payment Method Registration checkpoint.

POST api.ravelin.com/v2/paymentmethod

timestamp integer

required

The time at which this data payload was valid. When sending events in realtime, this will usually be 'now'. This is used to merge data that arrives out-of-order.

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

eventType string

optional

An eventType should identify what event in your system triggered this API call.

Pattern: ^[a-zA-Z0-9][a-zA-Z0-9-_]*$

customerId string

optional

The unique identifier of the customer. If your system allows anonymous checkout then we recommend making this the customer's email address.

tempCustomerId string

optional

A temporary ID for a customer when the real account ID has yet to be minted. This must eventually be sent in conjunction with a real customer ID to migrate the data into the full customer account.

paymentMethod object

optional

The payment method being registered by the customer.

One of the following:

card: A credit or debit card.

Show definition

methodType string

required

Vault card payment method indicator.

One of: card, creditcard, or debitcard.

paymentMethodId string

required

A unique identifier for this payment, specific to this customer. Two customers should not use the same paymentMethodId.

scheme string

optional

The card network or scheme, such as visa or mastercard. Ravelin will identify the scheme on your behalf if you send the cardBin, which should be preferred.

instrumentId string

important

A unique identifier for the physical card, shared between customers. Used to link cards in Connect. Must not be a hash of the PAN.

If you use multiple PSPs who each generate their own equivalent of an instrumentId, you should consider prefixing their values to indicate their origin to avoid collisions. Common examples include Stripe's fingerprint, or Braintree's unique_number_identifier).

pan string

pci, optional

The full Primary Account Number of the card. Used by Ravelin to generate the instrumentId for this card. If specified, you do not need to provide instrumentId, cardBin or cardLastFour.

Only PCI DSS SAQ-D certified merchants should submit the PAN to Ravelin. You must not send requests containing this field to api.ravelin.com, and must instead use pci.ravelin.com.

Please see our PCI DSS documentation for more information.

cardBin string

important

The first six or eight digits of the card number/PAN. The Bank Identification Number (BIN), recently more commonly known as the Issuer Identification Number (IIN).

Given the BIN, Ravelin will populate the issuer, country of issuance, and card type on your behalf.

cardLastFour string

important

The last four digits of the card number/PAN. Please note this will be truncated to the last two digits when an eight digit BIN is provided.

issuer string

optional

The card issuer, who the true cardholder will report fraud to. Ravelin will identify the issuer on your behalf if you send the cardBin, which should be preferred.

prepaidCard boolean

optional

Whether this is a prepaid debit card. Ravelin will identify whether the card is prepaid on your behalf if you send the cardBin which should be preferred.

countryIssued string

optional

The country that the card was issued in. Ravelin will identify the country of issuance on your behalf if you send the cardBin, which should be preferred.

A ISO 3166-1 Alpha 3 or Alpha 2 country code.

expiryMonth integer

important

The expiry month of the card.

expiryYear integer

important

The expiry year of the card.

eWallet string

optional

deprecated

The e-Wallet to which the customer associated the card.

One of: applepay, googlepay, samsungpay, amazonpay, or visacheckout.

nameOnCard string

important

The cardholder name.

billingAddress object

important

The address of the registered cardholder, as used to pass AVS checks. It is common to have fewer location details for this address, but provide what you have.

Show definition

corporateCard boolean

optional

Whether this payment method is a corporate card.

virtualCard boolean

optional

Whether this payment method is a virtual card.

successfulRegistration boolean

optional

Whether the card was successfully registered with your gateway/PSP.

registrationTime integer

important

The time that the card was saved to the customer's account. (Not the card start date.)

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

lastVerified integer

optional

The time at which the payment method was last verified by the customer. An example mechanism would be a random amount charged to the customer's card that they can confirm the amount of.

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

compromised boolean

optional

Whether the card has been compromised.

compromisedReason string

important

The reason why the card is considered compromised.

One of: cloned, databreach, found, lost, stolen, frozen, defrosted, or uncompromised.

custom object

optional

Custom data that is relevant to your domain. This can be any json object. Please include any details that you think are relevant to fraud that our schema does not capture.

active boolean

optional

deprecated

Whether this card is still saved to the customer's account.

banned boolean

optional

deprecated

Whether this card has been banned.

nickName string

optional

deprecated

The nickname the customer has given the payment method.

cardType string

optional

deprecated

The card network or scheme, such as visa or mastercard. Ravelin will identify the cardType on your behalf if you send the cardBin, which should be preferred.

paymentMethodCipher: An encrypted payment method, containing the full card details encrypted via a Ravelin SDK.

Show definition

methodType string

required

Client-side encrypted card payment method indicator.

Only: paymentMethodCipher.

cardCiphertext string

required, pci

The card ciphertext produced by the Ravelin SDK card encryption.

This field constitutes cardholder data, and submission of this field therefore requires PCI DSS SAQ-A or SAQ-AEP certification. You must not send requests containing this field to api.ravelin.com, and must instead use pci.ravelin.com.

Please see our PCI DSS documentation for more information.</p>

aesKeyCiphertext string

required

The AES Key ciphertext produced by the Ravelin SDK card encryption.

algorithm string

required

The algorithm used to generate the ciphertexts.

paymentMethodId string

optional

A unique identifier for this payment, specific to this customer. Two customers should not use the same paymentMethodId.

ravelinSDKVersion string

optional

The version of the Ravelin SDK that performed this encryption.

keyIndex integer

optional

The index of the public RSA key used to encrypt the card.

keySignature string

optional

An identifier for the public key used during encryption.

billingAddress object

optional

Show definition

registrationTime integer

optional

When the payment method was added to the customer's account. Note: this is not the card start date.

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

ravelinjsVersion string

optional

deprecated

The version of the ravelinjs library that performed this encryption.

cash: The customer is paying in cash, or a cash-based payment method.

Show definition

bankaccount: Bank Accounts.

Show definition

methodType string

required

Bank account indicator.

Only: bankaccount.

paymentMethodId string

required

A unique identifier for this payment, specific to this customer. Two customers should not use the same paymentMethodId.

transferType string

required

The type of transfer: whether the customer is initiating the payment, or you are withdrawing funds from the customer's bank account based on an agreement to initiate payments on their behalf. Use "push" for a customer-initiated payment (e.g. a bank transfer) and "pull" for a merchant-initiated payment (e.g. Direct Debit).

One of: push, or pull.

scheme string

important

The name of the payment scheme or instrument used for the transfer of funds.

iban string

optional

IBAN (International Bank Account Number) Following the ISO 13616:2007 standard.

countryIssued string

optional

A ISO 3166-1 Alpha 3 or Alpha 2 country code.

accountAddress object

optional

Show definition

accountOwnerName string

optional

The name of the account owner.

bankCode string

optional

Code assigned by central bank to identify bank that account is associated with. Multiple bank code formats are supported.

bankName string

optional

Name of bank which account belongs to.

bic string

optional

BIC - business identifier code for banks and other institutions. Following the ISO9362 standard.

accountNumber string

optional

The account number issued by the bank.

nickName string

optional

The nickname for the payment method that the customers gives, if applicable.

registrationTime integer

important

The time that the card was saved to the customer's account. (Not the card start date.)

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

custom object

optional

Custom data that is relevant to your domain. This can be any json object. Please include any details that you think are relevant to fraud that our schema does not capture.

paypal: PayPal payments.

Show definition

methodType string

required

PayPal indicator.

Only: paypal.

paymentMethodId string

required

A unique identifier for this payment, specific to this customer. Two customers should not use the same paymentMethodId.

payerId string

optional

PayPal payer ID.

email string

important

Account email address.

billingAddress object

optional

The address of the account holder. It is common to have fewer location details for this address, but provide what you have.

Show definition

registrationTime integer

important

The time that the card was saved to the customer's account. (Not the card start date.)

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

lastVerified integer

optional

The time at which the payment method was last verified by the customer. An example mechanism would be a random amount charged to the customer's card that they can confirm the amount of.

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

nickName string

optional

The nickname for the payment method that the customers gives, if applicable.

countryIssued string

optional

The two-character IS0-3166-1 account country_code sent by PayPal.

verifiedAccount boolean

optional

The customer’s PayPal account status. Indicates whether the account is verified or not.

custom object

optional

Custom data that is relevant to your domain. This can be any json object. Please include any details that you think are relevant to fraud that our schema does not capture.

banned boolean

optional

deprecated

If the payment method has been banned

active boolean

optional

deprecated

Whether the payment method is active for use by this account

credit: This payment method type should be used for any payments made using credit that a customer has with the merchant.

Show definition

invoice: This payment method should be used whenever the merchant provides credit to the customer.

Show definition

methodType string

required

Invoice payment indicator.

Only: invoice.

paymentMethodId string

required

A unique identifier for this payment, specific to this customer. Two customers should not use the same paymentMethodId.

scheme string

important

The name of the invoice or 'buy now, pay later' scheme used, if applicable.

registrationTime integer

optional

When the payment method was added to the customer's account.

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

lastVerified integer

optional

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

accountOwnerName string

optional

The nickname for the payment method that the customers gives, if applicable.

accountAddress object

optional

Show definition

email string

optional

The email address used by the customer to register an invoice or 'buy now, pay later' payment method.

custom object

optional

Custom data that is relevant to your domain. This can be any json object. Please include any details that you think are relevant to fraud that our schema does not capture.

wallet: A digital wallet payment method.

Show definition

methodType string

required

Vault card payment method indicator.

Only: wallet.

paymentMethodId string

required

A unique identifier for this payment, specific to this customer. Two customers should not use the same paymentMethodId.

scheme string

required

The name of the digital wallet scheme or electronic payment service.

cardScheme string

optional

The card network or scheme of the card used within a wallet payment method, such as visa or mastercard. Ravelin will identify the cardScheme on your behalf if you send the cardBin, which should be preferred.

instrumentId string

important

A unique identifier for the physical card, shared between customers. Used to link cards in Connect. Must not be a hash of the PAN.

pan string

pci, optional

The full Primary Account Number of the card. Used by Ravelin to generate the instrumentId for this card. If specified, you do not need to provide instrumentId, cardBin or cardLastFour.

Only PCI DSS SAQ-D certified merchants should submit the PAN to Ravelin. You must not send requests containing this field to api.ravelin.com, and must instead use pci.ravelin.com.

Please see our PCI DSS documentation for more information.

cardBin string

important

The first six digits of the card number/PAN. The Bank Identification Number (BIN), recently more commonly known as the Issuer Identification Number (IIN).

Given the BIN, Ravelin will populate the issuer, country of issuance, and card type on your behalf.

cardLastFour string

important

The last four digits of the card number/PAN.

cardType string

optional

deprecated

The card network or scheme, such as visa or mastercard. Ravelin will identify the cardType on your behalf if you send the cardBin, which should be preferred.

issuer string

optional

The card issuer, who the true cardholder will report fraud to. Ravelin will identify the issuer on your behalf if you send the cardBin, which should be preferred.

prepaidCard boolean

optional

Whether this is a prepaid debit card. Ravelin will identify whether the card is prepaid on your behalf if you send the cardBin which should be preferred.

countryIssued string

optional

The country that the card was issued in. Ravelin will identify the country of issuance on your behalf if you send the cardBin, which should be preferred.

A ISO 3166-1 Alpha 3 or Alpha 2 country code.

expiryMonth integer

important

The expiry month of the card.

expiryYear integer

important

The expiry year of the card.

nameOnCard string

important

The cardholder name.

billingAddress object

important

The address of the registered cardholder, as used to pass AVS checks. It is common to have fewer location details for this address, but provide what you have.

Show definition

successfulRegistration boolean

optional

Whether the card was successfully registered with your gateway/PSP.

registrationTime integer

important

The time that the card was saved to the customer's account. (Not the card start date.)

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

lastVerified integer

optional

The time at which the payment method was last verified by the customer. An example mechanism would be a random amount charged to the customer's card that they can confirm the amount of.

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

custom object

optional

Custom data that is relevant to your domain. This can be any json object. Please include any details that you think are relevant to fraud that our schema does not capture.

active boolean

optional

deprecated

Whether this card is still saved to the customer's account.

banned boolean

optional

deprecated

Whether this card has been banned.

nickName string

optional

deprecated

The nickname the customer has given the payment method.

fromTransaction: Refer to the payment method used by a named transaction. For usage examples, see Saving payment methods after checkout and Associating refunds with payment methods.

Show definition

~~directdebit: Direct Debits.~~ - deprecated.

Show definition

methodType string

required

Direct Debit indicator.

Only: directdebit.

paymentMethodId string

required

A unique identifier for this payment, specific to this customer. Two customers should not use the same paymentMethodId.

transferType string

required

Bank transfer type

Only: directdebit.

scheme string

required

The type of direct debit scheme.

One of: autogiro, bacs, becs, becsnz, betalingsservice, or sepa.

iban string

optional

IBAN (International Bank Account Number) Following the ISO 13616:2007 standard.

countryIssued string

optional

A ISO 3166-1 Alpha 3 or Alpha 2 country code.

accountAddress object

optional

Show definition

accountOwnerName string

optional

The name of the account owner.

bankCode string

optional

Code assigned by central bank to identify bank that account is associated with. Multiple bank code formats are supported.

bankName string

optional

Name of bank which account belongs to.

bic string

optional

BIC - business identifier code for banks and other institutions. Following the ISO9362 standard.

accountNumber string

optional

The account number issued by the bank.

mandateRef string

optional

The unique reference issued for the direct debit mandate.

mandateURL string

optional

A URL to access the direct debit mandate agreement.

nickName string

optional

The nickname for the payment method that the customers gives, if applicable.

custom object

optional

Custom data that is relevant to your domain. This can be any json object. Please include any details that you think are relevant to fraud that our schema does not capture.

~~banktransfer: Bank Transfers.~~ - deprecated.

Show definition

methodType string

required

Bank transfer indicator.

Only: banktransfer.

paymentMethodId string

required

A unique identifier for this payment, specific to this customer. Two customers should not use the same paymentMethodId.

transferType string

required

Bank transfer type

One of: bancontact, eps, giropay, ideal, inghomepay, sofort, or sepa.

iban string

optional

IBAN (International Bank Account Number) Following the ISO 13616:2007 standard.

countryIssued string

optional

A ISO 3166-1 Alpha 3 or Alpha 2 country code.

accountAddress object

optional

Show definition

accountOwnerName string

optional

The name of the account owner.

bankCode string

optional

Code assigned by central bank to identify bank that account is associated with. Multiple bank code formats are supported.

bankName string

optional

Name of bank which account belongs to.

bic string

optional

BIC - business identifier code for banks and other institutions. Following the ISO9362 standard.

accountNumber string

optional

The account number issued by the bank.

nickName string

optional

The nickname for the payment method that the customers gives, if applicable.

registrationTime integer

important

The time that the card was saved to the customer's account. (Not the card start date.)

A unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC (nanoseconds are also accepted).

custom object

optional

Custom data that is relevant to your domain. This can be any json object. Please include any details that you think are relevant to fraud that our schema does not capture.

~~Others~~ - deprecated.

Show definition

Removal: Used for marking a saved payment method as removed from the account.

Show definition

device object

optional

The device used by the customer to trigger this update.

Show definition

deviceId string

required

The ID of the device used by the customer to trigger this update.

ipAddress string

important

The IP address of the device connecting to your services. Used in fraud and account-takeover detection.

When extracting this IP address, consider X-Forwarded-For.

language string

optional

The ISO 639 code of your customer's device's preferred language, or the IET Language Tag (BCP 47) values from the browser's Accept-Language header.

userAgent string

important

The browser user-agent string, if the device represents a web browser - window.navigator.userAgent.

model string

important

The model/identifier name of the device if the device represents a native app. See here for iOS models: https://www.theiphonewiki.com/wiki/Models and here for Google Play supported models: http://storage.googleapis.com/play_public/supported_devices.csv.

os string

important

The operating system that the device is running.

type string

optional

The type of device.

One of: computer, phone, or tablet.

manufacturer string

optional

The maker of the device.

location object

optional

The geolocated position of the device.

Show definition

custom object

optional

Custom data that is relevant to your domain. This can be any json object. Please include any details that you think are relevant to fraud that our schema does not capture.

browser string

optional

deprecated

The name of the web browser being used, if applicable. Prefer userAgent.

javascriptEnabled boolean

optional

deprecated

Whether Javascript is enabled on the web browser.

cookiesEnabled boolean

optional

deprecated

Whether cookies are enabled on the web browser.

screenResolution string

optional

deprecated

The resolution of the screen on the device in the format XxY

deviceId string

optional

The ID of the device used by the customer to trigger this update.

POST /v2/paymentmethod HTTP/1.1
Authorization: token ...
Content-Type: application/json

{
  "timestamp": 1512828988826,
  "customerId": "abc-123-ZYZ",
  "tempCustomerId": "abc-123-XYZ",
  "paymentMethod": {
    "methodType": "card",
    "paymentMethodId": "pm-abc123",
    "scheme": "visa",
    "instrumentId": "fp_abc123",
    "cardBin": "535522",
    "cardLastFour": "0001",
    "expiryMonth": 7,
    "expiryYear": 2020,
    "eWallet": "applepay",
    "nameOnCard": "John Smith",
    "billingAddress": {
      "country": "GBR",
      "postalCode": "E1 1AA",
      "latitude": 51.503252,
      "longitude": -0.127899,
      "addresseeName": "John Smith",
      "street1": "123 fake st.",
      "street2": "floor 4, flat 48",
      "neighbourhood": "Hackney",
      "zone": "1",
      "city": "London",
      "region": "California",
      "poBoxNumber": "1234"
    },
    "corporateCard": true,
    "virtualCard": true,
    "successfulRegistration": true,
    "registrationTime": 1512828988826,
    "lastVerified": 1512828988826,
    "compromised": true,
    "compromisedReason": "stolen"
  },
  "device": {
    "deviceId": "65fc5ac0-2ba3-4a3b-aa5e-f5a77b845260",
    "ipAddress": "81.152.92.84",
    "language": "en-US",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
    "model": "Pixel XL",
    "os": "android",
    "type": "phone",
    "manufacturer": "google",
    "location": {
      "country": "GBR",
      "postalCode": "E1 1AA",
      "latitude": 51.503252,
      "longitude": -0.127899,
      "addresseeName": "John Smith",
      "street1": "123 fake st.",
      "street2": "floor 4, flat 48",
      "neighbourhood": "Hackney",
      "zone": "1",
      "city": "London",
      "region": "California",
      "poBoxNumber": "1234"
    }
  }
}

Response

status integer

The HTTP response status code.

timestamp integer

A unix timestamp indicating when we finished handling the request.

message string

If an error has occurred, a description of the error.

data object

Contains our recommendations and related details.

Show definition

action string

Our payment fraud recommendation.

Use this to determine how you should handle the order.

One of: ALLOW, REVIEW, or PREVENT.

score integer

The fraud score produced by the machine learning model. A value between 0 and 100. The higher the number the more fraudulently the model scored the customer.

This may not be the source of the final recommendation, see source.

source string

The source of the action recommendation.

Do not implement any logic based upon this field, we may add new values in the future without warning.

One of: CHARGEBACK, LOOKUP, MANUAL_REVIEW, NETWORK, RATE_LIMIT, RAVELIN, or RULE.

customerId string

The ID of the customer to which this recommendation applies.

scoreId string

A unique ID for this score.

transactionOptimisation object

If transaction optimisation is enabled, and a transaction optimisation recommendation was requested, this will contain the recommendation and related details.

Show definition

warnings array

Warnings when the data you are sending may negatively impact fraud detection.

Show definition

cachedScore boolean

In order to provide resiliency, on the rare occasion that Ravelin isn’t able to calculate a fraud score, a cached score is used to determine the action. If a cached score was used, this field will be true.

effectiveTime string

Response Version 1

Specifies the time the score was originally calculated. Uses the format 2020-01-01T00:00:00.00000000Z.

comment string

Response Version 1

If the customer was manually reviewed, the comment left by the reviewer.

rules object

Response Version 2

Contains details about the rules which were triggered by this customer.

Show definition

connect object

Response Version 2

Contains details about the network the customer is connected to.

Show definition

lookup object

Response Version 2

Contains details about the Lookup results for the customer.

Show definition

market object

Response Version 2

Contains details about the market for the customer.

Show definition

thresholds object

Response Version 2

Contains details about the machine learning fraud score thresholds.

Show definition

orderId string

Response Version 3

The ID of the order used to calculate the recommendation, typically the customer's latest order.

transactionId string

Response Version 3

The ID of the transaction used to calculate the recommendation, typically the customer's latest transaction.

{
  "status": 200,
  "timestamp": 1512828988826,
  "data": {
    "action": "ALLOW",
    "score": 12,
    "source": "RAVELIN",
    "customerId": "abc-123-ZYZ",
    "scoreId": "2bf39d-d1299-31",
    "transactionOptimisation": {
      "transactionId": "123-abc-XYZ",
      "action": "AUTHENTICATE",
      "exemption": "TRANSACTION_RISK_ANALYSIS",
      "threeDSChallengePreference": "NO_CHALLENGE_REQUESTED",
      "actionSource": "CLIENT_RULE",
      "rules": {
        "triggered": [
          {
            "ruleId": 1,
            "ruleVersion": 1,
            "action": "AUTHENTICATE",
            "exemption": "TRANSACTION_RISK_ANALYSIS",
            "threeDSChallengePreference": "NO_CHALLENGE_REQUESTED",
            "triggered": true,
            "state": "active"
          }
        ]
      }
    },
    "warnings": [
      {
        "class": "customer-not-found",
        "help": "https://developer.ravelin.com/api/warnings/#customer-not-found",
        "msg": "Customer \"abc-123-ZYZ\" not found."
      }
    ]
  }
}

Feedback

Was this page helpful?